UDP DDoS protection with pfSense

johnpoz

"n the front or in the middle nut no one was talking about the end!"

Yeah dude we are talking about the END.. This poster can not put devices at his ISP connection…  Read what the OP is asking.. Sorry there is NO box you can put at the end of the pipe to stop the pipe from being full..

There is no magic.. If ISP sends you traffic that fills your pipe is FULL there is nothing your end can do about it.. No magic box to fix it..  Be it pfsense firewall, or some 1 Million Dollar super firewall..  Now what you can do is have a box on your end that detects the ddos and adjust routes upstream, etc.  Look into radware I mentioned.

Why don't you read a bit about that smartwall your touting and where it gets placed.. It sure and the F is not placed at the end of the pipe..  Those devices are for host providers, ISPs or LARGE enterprises to put in their cores..  They are not something a end user small company buys that they place at their location.

Guest

So a used or refurbished device that was announced for sale I´ve seen, was not $2.500 which could
be a fair price to get rid of this DDoS attacks also for smaller but very busy companies as I thought it
would be a really good deal.  ::)

Real world Prices:

• Corero IPS 5500 ES-Series is starting at ~$25.000,00  :-[
• Corero SmartWall middle till large devices (40 GBit/s) is starting at ~$250.000,00  :-[

Ok this devices would be doing the job, but only for Enterprise companies and middle or larger ISPs.  ::)
For sure you were right johnpoz.

Also the A10 Thunder TPS Series is starting at ~$195.449,00 so preventing from DDoS would be
a super game but only for big players as i see it right. And trust me this boxes must be working!
Akamai.net was spending nearly ~$370.000.000,00 for hardware and equipment to handle proper
those DDoS attacks.

Nullity

@johnpoz:

…
There is no magic..
...

lol

Those damn "DDoS defenderers" … what do they do, aside from being exclusive and expensive? Do thsy employ quantum entanglement or Cat7 Mobius cables?

hda

Nah not CAT-7 QE Mob quality, they cooperate for a business model ;) Akamai's costs will be billed to layer-8.

johnpoz

What I would like to know is what the OP was reading that pointed him to pfsense mitigating attacks?

"i found online to go with pfSense, i saw many people mitigating attacks with it too"

There are lots of threads here asking the same thing - and they always get the same answer, you can not stop a DDOS with a firewall..  So either he was not reading the full thread/article or misread the information?

If the OP business is so critical and of nature that ddos is of concern, they need to host services out of location that you can protect against it, not at your location at the end of a fiber connection provided by an ISP that doesn't provide any sort of ddos mitigation services.  And from the sounds of it - not even a firewall??

This is the scary part
"maybe some way to plug that main media converter Ethernet wire into firewall, but then what will be its wan ip? so confusing!"

How is this guy running a company based upon providing services connected to the internet?? I just don't get it…

Gertjan

Running a "very sensitive business" from 'home' ??
I don't know what 'sensitive' is, but I would run any serious (critical) business from a serious server, placed on a 'serious' spot, like a good data center.
If you use a good host, think about putting another serious 'tool' in front of it, like CloudFare (just to name one).

I know my 'hosting company' eats 500 Gbits DDOS like cake so I never needed 'ClouldFare', or comparable, services.
Putting yourself behind ONE incoming without protection upfront just offers you one solution : they null-route you to protect their own (== ISP) network.

Harvy66

Well should all know that any attack that consumes all of your bandwidth is impossible to stop at the edge, so lets rephrase the question to something useful and remove bandwidth from the equation. If one had an infinite amount of bandwidth, how well would PFSense hold up to a DDOS?

Gertjan

@Harvy66:

…. If one had an infinite amount of bandwidth, how well would PFSense hold up to a DDOS?

Using this one or this one ? ;)
I guess the question will narrow down about how FreeBSD 10.x acts when DDOSed.
The firewall pf being used is  the one present in the native FreeBSD (probably with some advancements, thought).

I understand your question, but you will probably find a final answer like "the role of a a router / firewall device in front of a LAN" isn't 'eating ddos'.

Harvy66

In theory the limiting factor should be PPS. FreeBSD and PFSense both have some ambitious goals to allow line rate 40Gb stateful packet filtering, and even beyond. If you don't have the bandwidth, then you absolutely have to have a 3rd party service.

NOYB

@Gertjan:

Running a "very sensitive business" from 'home' ??

Didn't see where the OPer said anything about running business from home.  Did I miss that?

doktornotor

None. pfSense is not a place to protect from DDoS. (And someone kindly lock this, the previous 50+ pages shit was just enough.)

NOYB

@doktornotor:

None. pfSense is not a place to protect from DDoS. (And someone kindly lock this, the previous 50+ pages shit was just enough.)

Is someone forcing you to read and respond?  Web forums in this regard are somewhat like TV where you have control of the on/off switch and channel.  The big difference is that the content is user generated.  But the viewing and responding is still under your control.

I like hearing what people have to say…  so long as it is respectfully communicated and I can turn it off at will.  Why should others be denied due to your own lack of discipline over the on/off switch?

Harvy66

@doktornotor:

None. pfSense is not a place to protect from DDoS. (And someone kindly lock this, the previous 50+ pages shit was just enough.)

I guess a better question is how many PPS of blocked or new state traffic should we expect PFSense to handle given a modern quad or octal core CPU. I know there is a line rate initiative for PFSense for 40Gb+ rates that is probably 3+ years off, no doubt some of that needs many of the upcoming FreeBSD network stack SMP improvements. Some really cool stuff coming that should allow FreeBSD to scale near linearly with cores.

Guest

@doktornotor

(And someone kindly lock this, the previous 50+ pages shit was just enough.)

On one side I am with you, that a closed and locked thread should be not warmed up or onyl
tiny pushed to another on and then goes on without taking advantage from the admin´s advice.

But mostly this also is owed to the owed kind and taken manner a thread goes or will be going.
Also the style and way the thread is lead will be a respectful point to watch out.

@NOYB
I consider but then also not falling back to the way the last thread about this theme was running.

@Harvy66
If the big players in this game are using extra or special hardware, mostly or often based on the
Tilera many core cpu´s (Tile-GX) why thinking it can be done in other cases with software only?
Lanner is offering a bigger appliance like the FW-889x and a NCS-MTX401 add in card and on
this card it can be installed and running a SMP Linux that is able to offload 20 GBit/s - 40 GBit/s
packet processing related to the kind of work for sure, likes DPI, IDS/IPS, VPN crypto stuff.

So FreeBSD and/or pfSense are nor really involved in this game and can be easily native installed on those
machines or as one or more in a VM on a host like this, but owed to the fiber bypass mode, it is able to
sort out many traffic likes a synflood or DoS/DDoS attack. And yes for sure there a many other PCIe cards
out from Tilera that can be installed in ordinary existing server running pfSense.

But the real clou will be, that we are able to pay for such cards, but not really for the devices named some
posts above from me. It can be a real show-stopper to the bigger sold devices because FreeBSD must not
be touched really, the working SMP Linux is installed and homed on the cards NAND flash memory.

And the C2758, XG-1540 or following appliances would bea ble to hold one PCIe card as I see it right.
So I thing DDoS atacks could be also mitigated from 1 GBit/s to xx GBit/s.
Tilera EZ cards

Harvy66

An overly simplified say to look at it is how many cycles per packet are spent. If I have a 3ghz quad core cpu, that's 12ghz of peak processing power. If you assume a large 1,000 cycles per packet (proof of concept can get it as low as 100 cycles per packet), that leaves you with 12M-pps.

Ideally with breathing room, my quad core should be able to handle near line rate of 10Gb/s 64byte packets(half-duplex). Of course life isn't this simple. We have context switches, data bouncing between cores, complex routing, a bunch of firewall rules a user made, and a host of other reasons that need to be ironed out.

When I saw my computer crapping out with 30K-pps, that places the computational load around 400K cycles per packet, or 400x worse than my 10x above simple real world placing the current system somewhere between 400x and 4000x slower than it could be. That's a lot of room for optimizations.

All I'm saying, don't say it can't be done, it just requires a lot of the work that is already being talked about. The netmap people showed a single core 900mhz CPU doing line rate 10Gb/s with a very simple single entry route and no firewall, and that was being handled in userland, not the kernel, so it could be even faster. I can't wait for 3 years from now, I expect FreeBSD to be in a very good place with network performance.

NOYB

I always thought it backwards from a performance perspective for the firewall to be post NAT.  burning cycles NATing a bunch of traffic that is just going to be blocked anyway seems to be inefficient.

mer

@NOYB:

I always thought it backwards from a performance perspective for the firewall to be post NAT.  burning cycles NATing a bunch of traffic that is just going to be blocked anyway seems to be inefficient.

That is an interesting POV. (thinking out loud here)  Perhaps it depends on "what NAT" is involved.  Inbound NAT/redirect;  yes that makes a lot of sense to look at firewall first, but if the inbound traffic doesn't match any redirect/NAT rules then it doesn't really get NATted, does it?  Responses to outbound traffic that was NATted should be a lookup and simple state match, no?  Maybe firewall block rules, on the external interface, based on source information or dest port could actually be done prior to NAT.  Like if you are not running a webserver, "block in on $ext_if dest port 80" run before any NAT or redir would make sense.

In a "typical" NAT environment (most home users, maybe SOHO use), inbound traffic is related to traffic that originated behind the NAT so NAT before state checking is needed.

Maybe we also need to think about what happens when a packet is NATted or redirected too.  How much of the packet gets rewritten, what checksums need to get updated, is the checksum offloaded?

Guest

inbound traffic is related to traffic that originated behind the NAT so NAT before state checking is needed.

Thats the point I want to come closer to. If those traffic is generated to the outside, likes open a webpage,
the connection is placed in a connection table, if now the TCP/IP packets are coming back and wan to be
forwarded to the PC or machine hwo was calling for, the NAT process, must have a look in this connection
table if there is an opened connection entry in this table and then it will be forwarded to the PC or will be
dropped. OK for sure this can also be done native by the pfSense without such a card for sure, but if there
is then one or more opened ports, for the servers in the DMZ, it perhaps comes to the point where the pipe
gets rendered and only for this those cards I thought would be fine to do the job, proofing and dropping or
forward them.

And this is in my poor opinion the exactly point which is totally different each from other!

• The home or consumer grade SPI/NAT is doing something like the following:
  Deny all and then have a look in the connection table for an open connection from inside
  So it is wanted that all packets are staying outside.
• But the SPI/NAT way from the pfSense is doing it in the total turned around direction as I see
  it right, please correct me if I am wrong with this!
  Let them (TCP/IP packets) all in for inspect them by one or more rules
  So the many packets from an attack are able to get in and render or filling the pipe and nothing more goes.

bilal91

@NOYB:

@bilal91:

I have a very sensitive business which needs 100% up time,

Then, as mentioned by others, you probably need to hire a service to filter your traffic before it comes down the pipe from ISP to you.  Or if the ISP has the capability, get them to filter your traffic instead of just null routing.

I'm curious.  Do you have any inclination at all of who or the motive that is behind the attack?  Competitor, someone doesn't like you, disgruntled customer or employee, extortion, etc.?

Yup its a possible competitor that's for sure :)

bilal91

@johnpoz:

What I would like to know is what the OP was reading that pointed him to pfsense mitigating attacks?

"i found online to go with pfSense, i saw many people mitigating attacks with it too"

There are lots of threads here asking the same thing - and they always get the same answer, you can not stop a DDOS with a firewall..  So either he was not reading the full thread/article or misread the information?

If the OP business is so critical and of nature that ddos is of concern, they need to host services out of location that you can protect against it, not at your location at the end of a fiber connection provided by an ISP that doesn't provide any sort of ddos mitigation services.  And from the sounds of it - not even a firewall??

This is the scary part
"maybe some way to plug that main media converter Ethernet wire into firewall, but then what will be its wan ip? so confusing!"

How is this guy running a company based upon providing services connected to the internet?? I just don't get it…

Its a car tracking company, the data for cars comes in all the time, so yeah its a service connected to internet.

I read it somewhere but i knew software firewalls can't do it so i just wanted to clear it myself asking here to prove everyone whose saying they can stop UDP or Amp attacks with pfSense alone, i knew its impossible but i never saw someone denying it as in my knowledge and as in your knowledge. So things are clear now :)

And you're right some ISPs just suck and don't care to provide security to their end users, renting 6 dedicated servers were being a bit expensive for me so I didn't go online, but i guess I'll have no other choice in future if this continues, many online hosters will atleast provide you ddos solutions.